Information Security

CMS Information Security Program Overview

"Holding Ourselves to a Higher Standard"


The CMS information security virtual handbook is intended to serve as your “one stop” resource for all things related to CMS information security.  On this page, you’ll find links to all CMS information security policies, standards, procedures, and guidelines as well as computer based training, user ID assignment and complete instructions on what to do if you suspect that a security incident has occurred.  The links on the left hand side of the page provide supplementary guidance on CMS policy, however, for a brief snapshot and high-level overview of some of our core programs, please take a look at the information provided below:

Security in the Systems Development Lifecycle (SDLC) 

Early consideration of security and its subsequent integration into every aspect of the system development life cycle not only ensures the long-term protection of sensitive information, it also prevents costly, duplicative effort after the project’s completion.  If you are a developer and you have any questions regarding how to integrate security into your product, the “System Lifecycle Framework” provides complete details related to the CMS Integrated IT Investment & System Life Cycle Framework (ILC).  The CMS Information Technology - General document, may also provide useful supplemental guidance.

Security Assessment and Authorization (SA&A) 

The security Assessment and Authorization (SA&A) process, formerly known as Certification and Accreditation (C&A), is the methodology by which an organization establishes and then demonstrates a sound information security posture for a specific system. Throughout this rigorous process, the Information System Security Officer (ISSO) will serve as your primary point of contact for system security issues and policy guidance.   ISSOs act as an important liaison between the CMS Chief Information Security Officer (CISO) and the many business components within CMS.  A complete listing of CMS’s ISSO’s can be found in CMS ISSOs (PDF - 63 Kb). (See Related Links below)

Security Control Assessment (SCA) 

The Security Control Assessment, formerly known as a Security Test and Evaluation (ST&E), is a detailed evaluation of the controls protecting an information system.  The security control assessment determines the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.  Requirements for control assessments are described in the CMS Acceptable Risk Safeguards (ARS) in the Security Assessment and Authorization (CA) section of the document.

Information Security Library 

Almost any question you have related to the CMS Information Security program can probably be answered in one brief visit to the CMS Information Security Library.  Use the convenient search tool to quickly locate relevant policies, procedures and guidelines.

The National Institute of Standards and Technology (NIST) established many of the foundational security standards that help protect our Nation’s Information Technology infrastructure.  A Complete listing of NIST publications can be found at (See Related Links below)


The CMS “Spotlight” portal keeps you up-to-date with the latest changes to CMS and related Federal policies and also highlights many of the foundational components of the CMS Information Security Program. Here you will find many of the most current, common standards, procedures, and policy documents applicable to CMS. 

Enterprise User Administration (EUA) 

A CMS User ID serves as your “virtual security badge,” for CMS Networks, granting you access to information and resources that you are authorized to see and preventing access to information and resources that you are not authorized to see.  Management of most CMS User ID’s is accomplished through the Enterprise User Administration (EUA) system.  Additional information regarding the EUA system can be found under the “CMS System User Information” heading.  If you would like information on the Medicare Advantage and Prescription Drug Plans (MAPD) as well as the CMS enterprise Identity Management and Authentication system (IACS), click here IACS.

Computer Based Training (CBT) 

Initial computer based training helps to establish a foundation of information security understanding and competency across the extended CMS enterprise and subsequent refresher training ensures that the foundation remains sound over time.  Computer based training (CBT) is mandatory for most users of CMS Information Systems and is normally conducted upon initial CMS User ID assignment and then annually when recertification of the CMS User ID is required.  For additional details about the CBT program, please select the “Computer Based Training” tab on the left hand side of the page.  Access to the “Information Security CBT” is at the bottom of the page and is restricted to authorized users only.

Security Incidents 

Known or suspected security or privacy incidents involving CMS information or information systems must be reported immediately to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963, or via e-mail to  Additionally, please contact your ISSO as soon as possible and apprise them of the situation. 

CISO Mailbox 

Do you have a question or concern related to CMS Information Security?  Send an email to the CISO Team at